You didn’t get the sarcasm in the previous email :) The issue is that you cannot 100% block DoH w/o blocking HTTPS. You may block well-known domains and IPs, but there are many unknown ones, and for targeted attacks new servers can be created even behind legit (but compromised) websites.
Vadim

> On Oct 2, 2019, at 10:04, Blason R <blaso...@gmail.com> wrote:
>
> Block 443? Not even possible since most of the portals/web servers nowadays
> work on TCP/443
>
> On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg <a...@clegg.com> wrote:
> On 10/2/19 8:00 AM, Blason R wrote:
> > Hmm that is a good idea to block the DOH queries but what I understood
> > is blocking on perimeter level would be more appropriate.
>
> To nullify the abilities of DoH, you can block port TCP/443.
>
> That is pretty much guaranteed to keep DoH from working, but you may
> want to test this solution in the lab before you deploy widely.
>
> This method of controlling DoH may have side-effects.
>
> AlanC
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users